From d09a84c26c421658d34766f79151cc13f6f042e1 Mon Sep 17 00:00:00 2001
From: Ian Gulliver
Date: Sun, 10 Apr 2016 23:38:02 +0000
Subject: [PATCH] Downloadable pfx files.
---
 certclient.py | 2 +-
 oauthproxy.py | 64 ++++++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 62 insertions(+), 4 deletions(-)
diff --git a/certclient.py b/certclient.py
index ffca545..b1627db 100755
--- a/certclient.py
+++ b/certclient.py
@@ -26,7 +26,6 @@ parser.add_argument(
 dest='server',
 action='store',
 required=True)
-FLAGS = parser.parse_args()
 class CertClient(object):
@@ -58,4 +57,5 @@ def main():
 if __name__ == '__main__':
+ FLAGS = parser.parse_args()
 main()
diff --git a/oauthproxy.py b/oauthproxy.py
index f13f55a..6c173c6 100755
--- a/oauthproxy.py
+++ b/oauthproxy.py
@@ -2,6 +2,7 @@ import argparse
 from oauth2client import client
+import certclient
 import os
 from urllib import parse
 import requests
@@ -23,6 +24,36 @@ parser.add_argument(
 dest='api_key',
 action='store',
 required=True)
+parser.add_argument(
+ '--ca-cert',
+ dest='ca_cert',
+ action='store',
+ required=True)
+parser.add_argument(
+ '--certserver-ca-cert',
+ dest='certserver_ca_cert',
+ action='store',
+ required=True)
+parser.add_argument(
+ '--certserver-client-cert',
+ dest='certserver_client_cert',
+ action='store',
+ required=True)
+parser.add_argument(
+ '--certserver-client-key',
+ dest='certserver_client_key',
+ action='store',
+ required=True)
+parser.add_argument(
+ '--certserver',
+ dest='certserver',
+ action='store',
+ required=True)
+parser.add_argument(
+ '--export-password',
+ dest='export_password',
+ action='store',
+ required=True)
 parser.add_argument(
 '--listen-host',
 dest='listen_host',
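Review bot: `--export-password` in the new `parser.add_argument` block takes the PKCS#12 export secret as a required command-line value, so it sits in the proxy's own argv (readable by other local users through process listings) and in shell history, and the same value is later handed to `openssl pkcs12 -passout` in the `_GetCert` hunk of this patch. Because every generated .pfx is protected with this single value, it is effectively one shared secret for all users of the proxy. Consider sourcing it from the environment or a file instead, e.g. `'--export-password', dest='export_password', default=os.environ.get('EXPORT_PASSWORD'),` with `required=False` and an explicit check in `main()` that it is set (the variable name is illustrative). `os` is already imported, as the import hunk of the same file shows, so no new dependency is needed.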
@@ -58,10 +89,13 @@ class HTTPServer6(server.HTTPServer):
 class OAuthProxy(object):
- def __init__(self, listen_host, listen_port, server_key, server_cert, api_key, allowed_domain, subject):
+ def __init__(self, listen_host, listen_port, server_key, server_cert, api_key, allowed_domain, subject, ca_cert, export_password, certclient):
 self._api_key = api_key
 self._allowed_domain = allowed_domain
 self._subject = subject
+ self._ca_cert = ca_cert
+ self._export_password = export_password
+ self._certclient = certclient
 HANDLERS = {
 '/': self._ServeRedirect,
@@ -115,7 +149,21 @@ class OAuthProxy(object):
 '-out', csr_path,
 '-subj', self._subject.replace('EMAIL', email),
 ])
- return open(csr_path, 'rb').read()
+ csr = open(csr_path, 'rb').read()
+ cert = self._certclient.Request(csr)
+ proc = subprocess.Popen([
+ 'openssl', 'pkcs12', '-export',
+ '-inkey', key_path,
+ '-certfile', self._ca_cert,
+ '-passout', self._export_password,
+ ],
+ stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE)
+ proc.stdin.write(cert.encode('ascii'))
+ proc.stdin.close()
+ ret = proc.stdout.read()
+ assert proc.wait() == 0
+ return ret
 def _ServeRedirect(self, req):
 req.send_response(302)
@@ -139,11 +187,18 @@ class OAuthProxy(object):
 assert email.endswith('@%s' % self._allowed_domain)
 result = self._GetCert(email)
 req.send_response(200)
+ req.send_header('Content-Type', 'application/x-pkcs12')
+ req.send_header('Content-Disposition', 'attachment; filename=%s.pfx' % email)
 req.end_headers()
 req.wfile.write(result)
 def main():
+ client = certclient.CertClient(
+ FLAGS.certserver,
+ FLAGS.certserver_ca_cert,
+ FLAGS.certserver_client_cert,
+ FLAGS.certserver_client_key)
 server = OAuthProxy(
 FLAGS.listen_host,
 FLAGS.listen_port,
@@ -151,7 +206,10 @@ def main():
 FLAGS.server_cert,
 FLAGS.api_key,
 FLAGS.allowed_domain,
- FLAGS.subject)
+ FLAGS.subject,
+ FLAGS.ca_cert,
+ FLAGS.export_password,
+ client)
 server.Serve()
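Review bot: The new tail of `_GetCert` writes the certificate to `proc.stdin`, closes it, then calls `proc.stdout.read()` and `assert proc.wait() == 0`; the write-then-read sequence can deadlock if `openssl` fills its stdout pipe before it has drained stdin, and the `assert` disappears under `python -O`, so a failed `pkcs12 -export` would hand the caller a truncated or empty blob as the PFX. `-passout` also takes a pass-phrase source (`pass:`, `env:`, `file:`, ...), so with `self._export_password` passed verbatim the operator must supply `--export-password` as `pass:<secret>`, which exposes the secret in the child's argv. Using `communicate()`, an explicit return-code check and the `env:` source (with `os`, already imported at the top of the file) addresses all three; `subprocess` is not imported in any visible hunk, so I assume it is already in scope for the existing `openssl req` call above. The `open(csr_path, 'rb').read()` line also leaves the file handle open, and the start of `_GetCert` lies outside the hunk.
```python
    with open(csr_path, 'rb') as csr_file:
      csr = csr_file.read()
    cert = self._certclient.Request(csr)
    # Pass the export secret through the child's environment rather than
    # argv so it is not visible in process listings; the variable name is
    # private to this call.
    proc = subprocess.Popen([
      'openssl', 'pkcs12', '-export',
      '-inkey', key_path,
      '-certfile', self._ca_cert,
      '-passout', 'env:PFX_EXPORT_PASSWORD',
      ],
      stdin=subprocess.PIPE,
      stdout=subprocess.PIPE,
      env=dict(os.environ, PFX_EXPORT_PASSWORD=self._export_password))
    # communicate() feeds stdin and drains stdout concurrently, so a large
    # PFX cannot stall the pipe; the return code is checked unconditionally.
    ret, _ = proc.communicate(cert.encode('ascii'))
    if proc.returncode != 0:
      raise RuntimeError(
          'openssl pkcs12 -export failed with status %d' % proc.returncode)
    return ret
```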
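Review bot: The new `Content-Disposition` header interpolates `email` unquoted into `filename=%s.pfx`; an address containing characters outside an HTTP token (spaces, `"`, `;`) yields a malformed header, and the only validation visible in the hunk is the `endswith` check on the domain, with the value's origin outside the hunk. Quote the value and restrict it to a safe character set, e.g. `safe = ''.join(c if c.isalnum() or c in '@._-' else '_' for c in email)` followed by `req.send_header('Content-Disposition', 'attachment; filename="%s.pfx"' % safe)`. Since the response body carries a private key, also add `req.send_header('Cache-Control', 'no-store')` so neither the browser nor an intermediary retains a copy. The enclosing handler's signature is outside the hunk.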